Helm chart, development documentation, namespace control (#4)

* Adding helm chart, adding documentation on testing with kind, delete the examples dir since helm takes care of what it was trying to accomplish

* Readme formatting

* Additional next steps

NEXT_STEPS.md

@@ -6,8 +6,10 @@ Documenting a roadmap for future features.
 
 - Option to use mounted secret instead of env var
 - Watch for updates to secrets and update the k8s secret
-- Either have a helm chart or use kustomize to make deployment easier for users
-- Right now this puts secrets into the namespace it is deployed to, should be able to provide the namespace as a param
 - Need some kind of validation on secret names, have to be lowercase, no underscores, etc.
-- Need to set up a better way to develop
-- Create CONTRIBUTING.md and pull_request_template.md
+- Create CONTRIBUTING.md and pr template, changelog
+- Helm chart publishing
+- Could probably mount the hooks to make testing faster?
+- The operator should be able to delete secrets it has created, but not secrets it doesn't
+    - Maybe an annotation could do this.
+- Add linting for helm chart?, shell scripts

README.md

@@ -1,38 +1,107 @@
-# Bitwarden Secrets Manager kopf k8s Operator
+# Bitwarden Secrets Manager Operator
 
 The intent of this project is to create an operator that will sync secrets from bitwarden secrets manager to a cluster's secrets.
 
-## Usage
+## Usage & Installation
+
+### Prerequisites
+
+#### Required Packages
+
+The deployment mechanism used for project is helm. [Helm will need to be installed](https://helm.sh/docs/intro/install/).
+
+#### Bitwarden Secrets Manager Secret Deployment
+
+It is assumed that you have a secret that is usable by the bitwarden secrets manager CLI
+to authenticate to the bitwarden secrets manager service. Instruction on how to create this secret
+can be found [here](https://bitwarden.com/help/access-tokens/).
+
+Here is an example manifest of the secret using the default values within the helm chart.
+
+```yaml
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: bwsm-sa-token
+  namespace: MyNamespace
+stringData:
+  .secretAccessToken: MyVeryLongAndSecureSecret
+```
+
+As with any secret please be careful and judicious on where you store this.
+
+You may deploy this secret prior to the helm installation, or you can apply it after the helm installation.
+
+### Installation
 
 ```bash
-# Configure reused variables
-DOCKER_REPOSITORY=REPLACEME
-CONTAINER_NAME=bwsm_k8s_operator
-CONTAINER_VERSION=latest
-
-# Build container, replace
-docker build . -t $DOCKER_REPOSITORY/$CONTAINER_NAME:$CONTAINER_VERSION
-
-# Push to registry
-docker push $DOCKER_REPOSITORY/$CONTAINER_NAME:$CONTAINER_VERSION
-
-# Kubectl apply the shell operator configured for bwsm
-##### NOTE!!!!! #####
-##### You will need to update the shell-operator.yaml with the container image you pushed #####
-##### You will also need to provide the secret token for the service account in the bws_secret.yaml #####
-kubectl apply -f ./examples/
-
-# Kubectl apply a test secret
-##### NOTE!!!!! #####
-##### You will need to replace the definition with a secret's UUID from bitwarden secrets manager
-kubectl apply  -f ./test/
-
-# View logs and check the secret was created
-kubectl -n shell-operator get pods
-kubectl -n shell-operator logs POD_NAME -f
-kubectl get secrets
+helm upgrade MyRelease ./charts/bitwarden_secrets_manager_operator/ \
+-f /path/to/values.yaml --namespace MyNamespace \
+--create-namespace --install
+```
+
+### Clean Up
+
+```bash
+helm delete MyRelease
 ```
 
 ## Development
 
-TBD - Currently to test I build and push the container to a on prem server.
+### Prerequisites
+
+[Kind](https://github.com/kubernetes-sigs/kind) is required for development of this operator, see [installation instructions](https://kind.sigs.k8s.io/docs/user/quick-start/#installation).
+
+### Instructions
+
+```bash
+# Create the kind cluster
+kind create cluster
+
+# Verify Context
+kubectl config current-context
+> kind-kind
+
+# Build the docker container for local development
+docker build . -t bwsm:development
+
+# Load the image into kind
+kind load docker-image bwsm:development
+
+# Create the namespace and bitwarden secrets manager secret
+kubectl create ns bwsm
+kubectl apply -f /path/to/bwsm_token.yaml # Example in examples/bws_token.yaml
+
+# Deploy the helm chart
+helm upgrade bwsm ./charts/bitwarden_secrets_manager_operator/ \
+--namespace bwsm -f ./development/values.yaml \
+--create-namespace --install
+
+# Apply a test bitwarden secret object
+kubectl apply -f /path/to/bwsm_secret_resource.yaml # Example in examples/bws_test_resource.yaml
+
+# Delete the kind cluster
+kind delete cluster
+```
+
+### Commands for Easier Troubleshooting
+
+```bash
+# Follow the bwsm pod logs
+kubectl logs -n bwsm -f $(kubectl get pods -n bwsm -o json | jq -r '.items[0].metadata.name')
+```
+
+## Frameworks
+
+These are the "frameworks" or projects that are utilized to make bitwarden secrets manager to function.
+
+- https://github.com/flant/shell-operator
+- https://github.com/helm/helm/
+- https://github.com/bitwarden/sdk
+- https://github.com/kubernetes-sigs/kind
+
+## Disclaimer
+
+This project is in no way officially affiliated with the company Bitwarden. This is an
+FOSS project leveraging bitwarden's secrets manager.

charts/bitwarden_secrets_manager_operator/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
+__snapshot__

charts/bitwarden_secrets_manager_operator/Chart.yaml

@@ -0,0 +1,24 @@
+apiVersion: v2
+name: bwsm
+description: A Helm chart used to deploy a operator
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.1.0
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+# It is recommended to use it with quotes.
+appVersion: "v0.1.0"

charts/bitwarden_secrets_manager_operator/templates/NOTES.txt

@@ -0,0 +1,5 @@
+Congratulations you have installed the bitwarden secrets manager operator!
+
+There is an assumption that you have already deployed the kubernetes secret used to authenticate
+to bitwarden secrets manager. To begin using this operator check the README.md for examples on
+how to declare a bitwarden secret manager secret.

charts/bitwarden_secrets_manager_operator/templates/_helpers.tpl

@@ -0,0 +1,62 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "bitwarden_secrets_manager_operator.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "bitwarden_secrets_manager_operator.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "bitwarden_secrets_manager_operator.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "bitwarden_secrets_manager_operator.labels" -}}
+helm.sh/chart: {{ include "bitwarden_secrets_manager_operator.chart" . }}
+{{ include "bitwarden_secrets_manager_operator.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "bitwarden_secrets_manager_operator.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "bitwarden_secrets_manager_operator.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "bitwarden_secrets_manager_operator.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "bitwarden_secrets_manager_operator.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "bwsm-sa" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}

charts/bitwarden_secrets_manager_operator/templates/bwsm-operator-deployment.yaml

@@ -0,0 +1,30 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    {{- include "bitwarden_secrets_manager_operator.labels" . | nindent 4 }}
+  name: {{ include "bitwarden_secrets_manager_operator.fullname" . }}
+  namespace: {{ .Release.Namespace }}
+spec:
+  replicas: {{ .Values.replicaCount }}
+  selector:
+    matchLabels:
+      {{- include "bitwarden_secrets_manager_operator.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      labels:
+        {{- include "bitwarden_secrets_manager_operator.labels" . | nindent 8 }}
+    spec:
+      serviceAccountName: {{ include "bitwarden_secrets_manager_operator.serviceAccountName" . }}
+      containers:
+        - name: {{ .Chart.Name }}
+          image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          resources:
+            {{- toYaml .Values.resources | nindent 12 }}
+          env:
+            - name: BWS_ACCESS_TOKEN
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.bitwarden_secrets_manager_secret.name }}
+                  key: {{ .Values.bitwarden_secrets_manager_secret.key }}

examples/bwsm_crd.yaml → charts/bitwarden_secrets_manager_operator/templates/bwsm_crd.yaml

@@ -3,18 +3,20 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   # name must match the spec fields below, and be in the form: <plural>.<group>
-  name: bitwardensecrets.bitwarden.com
+  name: bitwardensecrets.bwsm.com
+  labels:
+    {{- include "bitwarden_secrets_manager_operator.labels" . | nindent 4 }}
 spec:
   # group name to use for REST API: /apis/<group>/<version>
-  group: bitwarden.com
+  group: bwsm.com
   # either Namespaced or Cluster
-  scope: Namespaced
+  scope: Cluster
   names:
     kind: BitwardenSecret
     singular: bitwardensecret
     plural: bitwardensecrets
     shortNames:
-    - bws
+      - bws
   # list of versions supported by this CustomResourceDefinition
   versions:
     - name: v1
@@ -33,3 +35,5 @@ spec:
                   type: string
                 secretUUID:
                   type: string
+                secretNamespace:
+                  type: string

examples/clusterrole.yaml → charts/bitwarden_secrets_manager_operator/templates/clusterrole.yaml

@@ -5,13 +5,20 @@ metadata:
   name: bwsm_cluster_role
 rules:
   - apiGroups:
-      - ""
+      - "bwsm.com"
     resources:
-      - BitwardenSecrets
+      - bitwardensecrets
     verbs:
       - get
       - watch
       - list
+  - apiGroups:
+      - ""
+    resources:
+      - "secrets"
+    verbs:
+      - "create"
+      - "update"
 
 ---
 apiVersion: rbac.authorization.k8s.io/v1
@@ -24,5 +31,5 @@ roleRef:
   name: bwsm_cluster_role
 subjects:
   - kind: ServiceAccount
-    name: bwsm_sa
-    namespace: shell-operator
+    name: {{ include "bitwarden_secrets_manager_operator.serviceAccountName" . }}
+    namespace: {{ .Release.Namespace }}

charts/bitwarden_secrets_manager_operator/templates/serviceaccount.yaml

@@ -0,0 +1,6 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "bitwarden_secrets_manager_operator.serviceAccountName" . }}
+  namespace: {{ .Release.Namespace }}